From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: Re: [PATCH] Support for auditing on the actions of a not-yet-executed process. Date: Fri, 2 May 2014 10:49:56 -0400 Message-ID: <20140502144956.GE24821@madcap2.tricolour.ca> References: <1345749954-28749-1-git-send-email-pmoody@google.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <1345749954-28749-1-git-send-email-pmoody@google.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Peter Moody Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On 12/08/23, Peter Moody wrote: > eg: > > -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe=/bin/bash -F success=1 > > to see instances of /bin/bash opening a non-local socket. Or > > -a exit,always -F arch=b64 -S socket -F 'a0!=1' -F exe_children=/bin/bash -F success=1 > > to instances of /bin/bash, and any descendant processes, opening a non local socket. In addition to these sample rules, do you have a command or script to trigger it? > proposed https://www.redhat.com/archives/linux-audit/2012-June/msg00002.html > and it seemed like there was interest. > > Signed-off-by: Peter Moody > --- > trunk/lib/errormsg.h | 2 +- > trunk/lib/fieldtab.h | 2 ++ > trunk/lib/libaudit.c | 11 +++++++++++ > trunk/lib/libaudit.h | 7 ++++++- > 4 files changed, 20 insertions(+), 2 deletions(-) > > diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h > index 4d996d5..cd595ec 100644 > --- a/trunk/lib/errormsg.h > +++ b/trunk/lib/errormsg.h 
> @@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = { > { -15, 2, "-F unknown errno -"}, > { -16, 2, "-F unknown file type - " }, > { -17, 1, "can only be used with exit and entry filter list" }, > - { -18, 1, "" }, // Unused > + { -18, 1, "only takes = operator" }, > { -19, 0, "Key field needs a watch or syscall given prior to it" }, > { -20, 2, "-F missing value after operation for" }, > { -21, 2, "-F value should be number for" }, > diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h > index c0432cc..245b541 100644 > --- a/trunk/lib/fieldtab.h > +++ b/trunk/lib/fieldtab.h > @@ -66,3 +66,5 @@ _S(AUDIT_ARG3, "a3" ) > _S(AUDIT_FILTERKEY, "key" ) > > _S(AUDIT_FIELD_COMPARE, "field_compare" ) > +_S(AUDIT_EXE, "exe" ) > +_S(AUDIT_EXE_CHILDREN, "exe_children" ) > diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c > index 20eaf5f..06eed86 100644 > --- a/trunk/lib/libaudit.c > +++ b/trunk/lib/libaudit.c > @@ -1400,6 +1400,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, > else > return -21; > break; > + case AUDIT_EXE_CHILDREN: > + case AUDIT_EXE: > + { > + struct stat buf; > + if ((stat(v, &buf)) < 0) > + return -2; > + if (op != AUDIT_EQUAL) > + return -18; > + rule->values[rule->field_count] = (unsigned long)buf.st_ino; > + } > + break; > case AUDIT_DEVMAJOR...AUDIT_INODE: > case AUDIT_SUCCESS: > if (flags != AUDIT_FILTER_EXIT) > diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h > index 89dd588..2c8a802 100644 > --- a/trunk/lib/libaudit.h > +++ b/trunk/lib/libaudit.h > @@ -243,6 +243,12 @@ extern "C" { > #ifndef AUDIT_FIELD_COMPARE > #define AUDIT_FIELD_COMPARE 111 > #endif > +#ifndef AUDIT_EXE > +#define AUDIT_EXE 112 > +#endif > +#ifndef AUDIT_EXE_CHILDREN > +#define AUDIT_EXE_CHILDREN 113 > +#endif > > #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID > #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 
> @@ -524,4 +530,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule); > #endif > > #endif > - > -- > 1.7.7.3 - RGB -- Richard Guy Briggs Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
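Review bot: in the errormsg.h hunk, the reworded -18 entry "only takes = operator" is now the only message in the table that reports an operator restriction, yet it does not say which field rejected the operator; since the same code is returned for both AUDIT_EXE and AUDIT_EXE_CHILDREN, consider wording it so the -F field name is part of the output (e.g. "-F field only takes = operator"), matching how the neighbouring -15/-16 entries are prefixed with "-F".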
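Review bot: the fieldtab.h hunk introduces two new -F field names, "exe" and "exe_children", but the patch carries no documentation for them; auditctl(8) lists every accepted -F field, and the exe_children semantics (match the named program and every descendant process) appear only in the sample rules in the mail text. Please add the two fields to the man page and describe how a descendant stops matching (exec of another binary, reparenting on parent exit), and keep the string names in sync with whatever the kernel side ends up exporting.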
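Review bot: in the libaudit.c hunk the rule value stored for AUDIT_EXE/AUDIT_EXE_CHILDREN is only buf.st_ino, and an inode number is unique only within one filesystem, so the kernel cannot distinguish /bin/bash from an unrelated file with the same inode on another mount; st_dev needs to travel with it (or the path should be sent as a string field the way watches are). Resolving the path at rule-load time also means the rule silently stops matching once the binary is replaced by a package update, because the new file gets a new inode; that is worth a comment in the man page at minimum. Two smaller points in the same case block: rule->values[] holds 32-bit entries in struct audit_rule_data, so the (unsigned long)buf.st_ino assignment truncates 64-bit inode numbers where ino_t is 64 bits; and the `if (op != AUDIT_EQUAL) return -18;` check should come before the stat() call so an invalid operator is rejected without touching the filesystem. Also confirm that <sys/stat.h> is already included by libaudit.c, since this is the first use of struct stat in audit_rule_fieldpair_data(), and that -2 maps to a message in errormsg.h that makes sense for a path that cannot be stat'ed.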
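Review bot: the first libaudit.h hunk wraps the new AUDIT_EXE 112 and AUDIT_EXE_CHILDREN 113 definitions in #ifndef guards, so the local numbers are used whenever the installed kernel headers do not define them; if the kernel-side patch ends up reserving different field ids, this library will silently send the wrong ones and the kernel will reject or misinterpret the rule. The diffstat shows only trunk/lib/ files, so the submission should reference the kernel change that reserves 112 and 113 (or be held until that is merged), and the definitions should follow the same ordering as the kernel's AUDIT_* field ids.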
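Review bot: the second libaudit.h hunk (@@ -524,4 +530,3 @@) only removes the trailing blank line at end of file; it is unrelated to the exe fields and should be dropped from this patch or sent as a separate whitespace cleanup, so the functional change stays easy to review and bisect.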